Richard Power delves beyond the media hysteria surrounding Internet crime. He provides case studies of several important cybercrimes from the last few years, many of which have surprisingly escaped public notice. This chapter examines three cases of hackers who broke into computer systems of government agencies, military bases, universities, and foreign countries.

One of the greatest misconceptions among the many who hamper the defense of
cyberspace is the idea that all hacking is done only by juvenile joy riders:
i.e., youthful geniuses bent on embarrassing law enforcement and the military.
Of course, one of the ways in which this misconception is spread is through
the mainstream media. Most cases that reach the light of day usually do end
up involving juvenile hackers.

Why? Well, cases involving true cyberterrorists, information warriors, intelligence
agencies, and corporate spies slip below the surface of the headlines. They
are lost in the murky waters of “classified operations” or are swept
under thick corporate carpets. (You’ll read more about such cases in Chapter
10 and Chapter 12.)

Juvenile hackers or other “sport hackers” (a term used to describe
hackers who break into systems for the same reasons but aren’t minors)
end up in the newspapers because they get caught. They also end up in the headlines
because they seek the limelight. Furthermore, acknowledging their activities
doesn’t open a Pandora’s box for the government agency or the corporation
that was hit. If a government agency acknowledged an intelligence operation
conducted by another country, there could be serious diplomatic or even military
consequences. If a major corporation acknowledged a hack attack in which trade
secrets were compromised seemingly by another corporation, there would be a
public relations debacle: for example, their stock could dive, law suits could
get filed, etc.

Nevertheless, juvenile or sport hackers, or joy riders, have wreaked
a lot of havoc and mayhem over the years.

Here are some of the details of three high-profile stories, stretching from
1994 to 1999, that illustrate some of the lessons learned and unlearned along
the way.

The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force

The Rome Air Development Center (Rome Labs), located at Griffiss Air Force
Base (New York), is the U.S. Air Force’s premier command-and-control research
facility.

On March 28, 1994, Rome Labs’s system administrators (sysadmins) noticed
that a password sniffer, a hacking tool that captures users’ login
information, had been surreptitiously installed on a system linked to the Rome
Labs network. The sniffer had collected so much information that it filled the
disk and crashed the system, according to James Christy, who was director of
Computer Crime Investigations for the Air Force Office of Special Investigations.

The sysadmins informed the Defense Information Systems Agency (DISA) that the
Rome Labs network had been hacked into by an as yet unknown perpetrator. The
DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force
Office of Special Investigations (AFOSI) of the report of an intrusion. The
AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered
in San Antonio, Texas.

An AFOSI team of cybercrime investigators and security experts was dispatched
to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The
conclusions that they reached in their preliminary investigation were very disturbing.

Two hackers had broken into seven different computers on the Rome Labs network.
They had gained unlimited access, downloaded data files, and secreted sniffers
on every one of them. The seven sniffers had compromised a total of 30 of Rome
Labs’s systems.

These systems contain sensitive research and development data.

System security logs disclosed that Rome Labs’s systems had actually
been hacked into for the first time on March 23, five days before the discovery
made on March 28.

The investigation went on to disclose that the seven sniffers had compromised
the security of more than 100 more user accounts by capturing user logons and
passwords. Users’ e-mail messages had been snooped, duplicated, and deleted.
Sensitive battlefield simulation program data had been pursued and purloined.
Furthermore, the perpetrators had used Rome Labs’s systems as a jumping-off
point for a series of hack attacks on other military, government, and research
targets around the world. They broke into user accounts, planted sniffer programs,
and downloaded massive quantities of data from these systems as well.

The investigators offered the Rome Labs commanding officer the option of either
securing all the systems that had been hacked or leaving one or more of them
open to attack. If they left a few systems open, they could monitor the comings
and goings of the attackers in the hope of following them back to their
point of origin and identifying them.

The commander opted to leave some of the systems open to lay a trap for the
intruders.

Investigators Wrestle with Legal Issues and Technical Limitations

Using standard software and computer systems commands, the attacks were initially
traced back one leg of their path. The majority of the attacks were traced back
to two commercial Internet service providers, cyberspace.com, in Seattle, Washington
and mindvox.phantom.com, in New York City.

Newspaper articles indicated that the individuals who provided mindvox.phantom.com’s
computer security described themselves as “two former East Coast
Legion of Doom members.”

The Legion of Doom (LoD) was a loose-knit computer hacker group that had several
members convicted for intrusions into corporate telephone switches in 1990 and
1991. Because the agents did not know whether the owners of the New York Internet
service provider were willing participants or merely a transit point for the
break-ins at Rome Labs, they decided not to approach them. Instead, they simply
surveilled the victim computer systems on Rome Labs’s network to find out
the extent of the intruders’ access and identify all the victims.

Following legal coordination and approval with Headquarters, AFOSI’s legal
counsel, the Air Force General Counsel’s Office, and the Computer Crime
Unit of the Department of Justice, real-time content monitoring was established
on one of Rome Labs’s networks. Real-time content monitoring is analogous
to performing a wiretap because it allows you to eavesdrop on communications,
or in this case, text. The investigative team also began full keystroke monitoring
at Rome. The team installed a sophisticated sniffer program to capture every
keystroke performed remotely by any intruder who entered the Rome Labs.

This limited context monitoring consisted of subscribing to the commercial
ISPs’ services and using only software commands and utilities the ISP authorized
every subscriber to use. The team could trace the intruder’s path back
only one leg. To determine the next leg of the intruder’s path required
access to the next system on the hacker’s route. If the attacker was using
telephone systems to access the ISP, a court-ordered “trap and trace”
of telephone lines was required.

Due to time constraints involved in obtaining such an order, this was not a
viable option. Furthermore, if the attackers changed their path, the trap and
trace would not be fruitful. During the course of the intrusions, the investigative
team monitored the hackers as they intruded on the system and attempted to trace
the intruders back to their origin. They found the intruders were using the
Internet and making fraudulent use of the telephone systems, or “phone
phreaking.”

Because the intruders used multiple paths to launch their attacks, the investigative
team was unable to trace back to the origin in real-time due to the difficulty
in tracing back multiple systems in multiple countries.

In my interview with James Christy for this book, he provided fascinating insight
into the deliberations over what capabilities could be used to pursue the investigation.

“The AFIWC worked the Rome Labs case with us,” Christy says. “They
developed the Hackback tool right at Rome.” According to Christy, Hackback
is a tool that does a finger back to the system the attack came from, then launches
a scripted hack attack on that system, surveils the system, finds the next leg
back, and then launches a scripted attack on that system. Hackback was designed
to follow them all the way back over the Internet to their point of origination.

“Well, AFIWC developed this tool,” Christy continues, “but we
told them, ‘Hey, you can’t use that ’cause it’s illegal.
You’re doing the same thing as the hacker is doing: You’re breaking
into systems.’ They said, General Minihan [who was at that time the head
of the NSA] says, ‘We’re at war, we’re going to use it.’
My guys had to threaten to arrest them if they did. So we all said, ‘Let’s
try something.’”

Christy tells me there was a big conference call involving the DoJ, the Secret
Service, the FBI, AFOSI, and the guys that were up at Rome Labs. “We all
claimed exigent circumstances, a hot pursuit. Scott Charney [who was at that
time the head of DoJ’s computer crime unit] gave us the approval to go
run Hackback one time. We did it, but it didn’t buy us anything. The hackers
weren’t getting into those nodes via the Internet. They were getting in
through telephone dial-ups. So it dead-ended where we already knew it was coming
from.”

Datastream Cowboy’s Biggest Mistake

As the result of the monitoring, the investigators could determine that the
hackers used the nicknames Datastream and Kuji. With this clue, AFOSI Computer
Crime Investigators turned to their human intelligence network of informants
that surf the Internet. The investigators tasked their informants with identifying
the two hackers using the handles Datastream and Kuji.

“Our investigators went to their sources,” Christy recalls, “saying,
‘Help us out here, anybody know who these guys are?’ And a day and
a half later, one of these sources came back and said, ‘Hey, I got this
guy. Here’s his e-mail!’”

According to Christy, these informants have diverse motivations. Some of them
want to be cops; some of them want to do the right thing; some of them simply
find hacking exciting; some of them have pressure brought to bear on them because
of their own illegal activities.

Indeed, whatever the motivation, on April 5, 1994, an informant told the investigators
he had a conversation with a hacker who identified himself as Datastream Cowboy.

The conversation was via e-mail and the individual stated that he was from
the United Kingdom. The on-line conversation had occurred three months earlier.
In the e-mail provided by the informant, Datastream indicated he was a 16-year-old
who liked to attack .mil sites because they were so insecure.

Datastream had even provided the informant with his home telephone number for
his own hacker bulletin board systems he had established.

Bragging of his hacking feats, as Christy explains, was Datastream Cowboy’s
big mistake.

“It was the only way we solved the case,” he said. “If we had
to rely on surveillance alone, we never would have traced it back to them because
of all the looping and weaving through South America. We would have been working
with multiple countries.

“Did these South American countries have laws against hacking?” Christy
continues. “No. Would the South Americans have been able to do a trap and
trace? Maybe not. Remember, they were using telephone lines.”

The Air Force agents had previously established a liaison with New Scotland
Yard, which could identify the individuals living at the residence associated with
Datastream’s telephone numbers.

New Scotland Yard had British Telecom initiate monitoring of the individual’s
telephone lines with pen registers. A pen register records all the numbers dialed
by the individuals at the residence. Almost immediately, monitoring disclosed
that someone from the residence was phone phreaking through British Telecom,
which is also illegal in the United Kingdom.

Within two days, Christy and the investigative team knew who Datastream Cowboy
was. For the next 24 days, they monitored Datastream’s online activity
and collected data.

During the 26-day period of attacks, the two hackers, Datastream Cowboy and
Kuji, made more than 150 known intrusions.

Scotland Yard Closes in on Datastream Cowboy

New Scotland Yard found that every time an intrusion occurred at Rome Labs,
the individual in the United Kingdom was phone-phreaking the telephone lines
to make free telephone calls out of Britain. Originating from the United Kingdom,
his path of attack was through systems in multiple countries in South America
and Europe, and through Mexico and Hawaii; occasionally he would end up at Rome
Labs. From Rome Labs, he was able to attack systems via the Internet at NASA’s
Jet Propulsion Laboratory in California and its Goddard Space Flight Center
in Greenbelt, Maryland.

Continued monitoring by the British and American authorities disclosed that
on April 10, 1994, Datastream successfully penetrated an aerospace contractor’s
home system. The attackers captured the contractor’s logon at Rome Labs
with sniffer programs when the contractor logged on to home systems in California
and Texas. The sniffers captured the addresses of the contractor’s home
system, plus the logon and password for that home system. After the logon and
password were compromised, the attackers could masquerade as that authorized
user on the contractor’s home system. Four of the contractor’s systems
were compromised in California and a fifth was compromised in Texas.

Datastream also used an Internet Scanning Software (ISS) attack on multiple systems belonging to this aerospace contractor. ISS
is a hacker tool developed to gain intelligence about a system. It attempts
to collect information on the type of operating system the computer is running
and any other available information that could be used to assist the attacker
in determining what attack tool might successfully break into that particular
system. The software also tries to locate the password file for the system being
scanned, and then tries to make a copy of that password file.

The significance of the theft of a password file is that, even though password
files are usually stored encrypted, they are easily cracked. Several hacker
“password cracker” programs are available on the Internet. If a password
file is stolen or copied and cracked, the attacker can then log on to that system
as what the systems perceive is a legitimate user.
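The paragraph above states the defender’s real exposure: a copied password file can be guessed against offline, and a fast, unsalted hash gives the attacker one lookup table that covers every account. The following added example is not code from the book or the case; it is a small defender-side audit that runs a constructed wordlist against two constructed record formats (an unsalted SHA-1 layout and a salted PBKDF2 layout, both hypothetical, not a real /etc/passwd layout) and counts how many hash computations each layout costs. The usernames, passwords, fixed salt and low iteration count are constructed for determinism.

```python
"""Why a copied password file matters, and what salting and slow hashing buy.

Added example (not from the book or the Rome Labs case): a defender-side
audit that checks password records against a small wordlist and counts the
hash computations the audit needs. Records, usernames and both record
formats are constructed for this demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed wordlist standing in for the lists password crackers ship with.
WORDLIST = ["password", "letmein", "missile", "cowboy", "qwerty"]

# Record formats assumed here (hypothetical, not a real /etc/passwd layout):
#   weak:      "user:<sha1 hex>"                          unsalted, fast
#   hardened:  "user:pbkdf2$<iters>$<salt hex>$<dk hex>"  salted, slow


def hash_fast(password: str) -> str:
    """Unsalted single SHA-1: 'stored encrypted' yet easily guessed."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_hardened(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 with many iterations."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Constant-time comparison for either record format."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(hash_fast(candidate), stored)


def parse_records(lines: Iterable[str]) -> Dict[str, str]:
    """'user:hash' lines -> {user: hash}; blank lines and comments skipped."""
    records: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, stored = line.split(":", 1)
        records[user] = stored
    return records


def audit(records: Dict[str, str], wordlist: List[str]) -> Tuple[List[str], int]:
    """Return (users whose password is in wordlist, hash computations used).

    Unsalted hashes: equal passwords give equal hashes, so one hash per word
    builds a lookup table that covers every user at once.
    Salted hashes: every (user, word) pair needs its own derivation, and each
    derivation costs `iterations` HMAC rounds instead of a single digest.
    """
    flagged: List[str] = []
    ops = 0
    table: Dict[str, str] = {}
    if any(not s.startswith("pbkdf2$") for s in records.values()):
        for word in wordlist:                  # table built once, reused
            table[hash_fast(word)] = word
            ops += 1
    for user, stored in records.items():
        if stored.startswith("pbkdf2$"):
            for word in wordlist:              # per-user work, nothing reused
                ops += 1
                if verify(stored, word):
                    flagged.append(user)
                    break
        elif stored in table:
            flagged.append(user)
    return sorted(flagged), ops


# Constructed sample files. The fixed salt and low iteration count keep the
# example deterministic and quick; use os.urandom and >= 200_000 in practice.
FIXED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
WEAK_FILE = [
    f"alice:{hash_fast('password')}",
    f"bob:{hash_fast('u7$Qz!p4Lw9#')}",
]
HARDENED_FILE = [
    f"carol:{hash_hardened('missile', FIXED_SALT, 1000)}",
    f"dave:{hash_hardened('u7$Qz!p4Lw9#', FIXED_SALT, 1000)}",
]

if __name__ == "__main__":
    print(audit(parse_records(WEAK_FILE), WORDLIST))       # (['alice'], 5)
    print(audit(parse_records(HARDENED_FILE), WORDLIST))   # (['carol'], 8)
```

The two counts make the lesson concrete: the weak file costs five cheap digests for both users, while the hardened file costs a separate slow derivation for every user and word. Salting does not rescue a dictionary word like carol’s, which is why the first control is still keeping the hash file out of reach (a shadow file readable only by root), with slow salted hashing as the second.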

Monitoring activity disclosed that, on April 12, Datastream initiated an ISS
attack from Rome Labs against Brookhaven National Labs, Department of Energy,
New York. Datastream also had a two-hour connection with the aerospace contractor’s
system that was previously compromised.

Kuji Hacks into Goddard Space Flight Center

On April 14, 1994, remote monitoring activity of the Seattle ISP conducted
by the Air Force indicated that Kuji had connected to the Goddard Space Flight
Center through an ISP from Latvia. The monitoring disclosed that data was being
transferred from Goddard Space Flight Center to the ISP. To prevent the loss
of sensitive data, the monitoring team broke the connection. It is still not
known whether the data being transferred from the NASA system was destined for
Latvia. (Latvia as a destination for sensitive data was, of course, something
that concerned investigators. After all, the small Baltic nation had only recently
become independent of Russian domination. It had been a part of the former U.S.S.R.)

Further remote monitoring activity of cyberspace.com disclosed that Datastream
was accessing the National Aero-Space Plane Joint Program Office, a joint project
headed by NASA and the Air Force at Wright-Patterson Air Force Base, Ohio. Monitoring
disclosed a transfer of data from Wright-Patterson traversing through cyberspace.com
to Latvia.

Apparently, Kuji attacked and compromised a system in Latvia that was just
being used as conduit to prevent identification. Kuji also initiated an ISS
attack against Wright-Patterson from cyberspace.com the same day. He also tried
to steal a password file from a computer system at Wright-Patterson Air Force
Base.

Kuji Attempts to Hack NATO HQ

On April 15, real-time monitoring disclosed Kuji executing the ISS attack against
NATO Headquarters in Brussels, Belgium, and Wright-Patterson from Rome Labs.
Kuji did not appear to gain access to any NATO systems from this particular
attack. However, when interviewed on April 19 by AFOSI, a systems administrator
from NATO’s SHAPE Technical Center in the Hague, Netherlands, disclosed
that Datastream had successfully attacked one of SHAPE’s computer systems
from the ISP mindvox.phantom.com in New York.

After authorities confirmed the hacker’s identity and developed probable
cause, New Scotland Yard requested and obtained a search warrant for the Datastream
Cowboy’s residence. The plan was to wait until the individual was online
at Rome Labs, and then execute the search warrant. The investigators wanted
to catch Datastream online so that they could identify all the victims in the
path between his residence and Rome Labs. After Datastream got online at Rome
Labs, he accessed a system in Korea, downloaded all data stored on the Korean
Atomic Research Institute system, and deposited it on Rome Labs’s system.

Initially, it was unclear whether the Korean system belonged to North or South
Korea. Investigators were concerned that, if it did belong to North Korea, the
North Koreans would think the logical transfer of the storage space was an intrusion
by the U.S. Air Force, which could be perceived as an aggressive act of war.
During this time frame, the United States was in sensitive negotiations with
the North Koreans regarding their nuclear weapons program. Within hours, it
was determined that Datastream had hacked into the South Korean Atomic Research
Institute.

At this point, New Scotland Yard decided to expand its investigation, asked
the Air Force to continue to monitor and collect evidence in support of its
investigation, and postponed execution of the search warrant.

Scotland Yard Knocks on Datastream Cowboy’s Door

On May 12, investigators from New Scotland Yard executed their search warrant
on Datastream’s residence.

When they came through the door, 16-year-old Richard Pryce (a.k.a. Datastream
Cowboy) curled up in the fetal position and wept.

The search disclosed that Datastream had launched his attacks with only a 25
MHz 486 SX desktop computer with a 170 megabyte hard drive, a modest system
with limited storage capacity. Datastream had numerous documents
that contained references to Internet addresses, including six NASA systems
and U.S. Army and U.S. Navy systems with instructions on how to loop through
multiple systems to avoid detection.

At the time of the search, New Scotland Yard detectives arrested and interviewed
Datastream. Detectives stated that Datastream had just logged out of a computer
system when they entered his room. Datastream admitted to breaking into Rome
Labs numerous times as well as multiple other Air Force systems (Hanscom Air
Force Base, Massachusetts, and Wright-Patterson). (He was charged with crimes
spelled out in Britain’s Computer Misuse Act of 1990.)

Datastream admitted to stealing a sensitive document containing research regarding
an Air Force artificial intelligence program that dealt with Air Order of Battle.
He added that he searched for the word missile, not to find missile data
but to find information specifically about artificial intelligence. He further
explained that one of the files he stole was a 3–4 megabyte file (approximately
three to four million characters in size). He stored it at mindvox.phantom.com’s
system in New York because it was too large to fit on his home system.

Datastream explained he paid for the ISP’s service with a fraudulent credit
card number that was generated by a hacker program he had found on the Internet.
Datastream was released on bail following the interview.

This investigation never revealed the identity of Kuji. From conduct observed
through the investigators’ monitoring, Kuji was a far more sophisticated
hacker than the teenage Datastream. Air Force investigators observed that Kuji
would only stay on a telephone line for a short time, not long enough to be
traced successfully. No informant information was available except that Computer
Crime Investigators from the Victoria Police Department in Australia had seen
the name Kuji on some of the hacker bulletin-board systems in Australia.

Unfortunately, Datastream provided a great deal of the information he stole
to Kuji electronically. Furthermore, Kuji appears to have tutored Datastream
on how to break into networks and on what information to obtain. During the
monitoring, the investigative team could observe Datastream attack a system
and fail to break in. Datastream would then get into an online chat session
with Kuji, which the investigative team could not see due to the limited context
monitoring at the Internet service providers. These chat sessions would last
20–40 minutes. Following the on-line conversation, the investigative team
would then watch Datastream attack the same system he had previously failed
to penetrate, but this time he would be successful. Apparently Kuji assisted
and mentored Datastream and, in return, received stolen information from Datastream.
Datastream, when interviewed by New Scotland Yard’s Computer Crime Investigators,
told them he had never physically met Kuji and only communicated with him through
the Internet or on the telephone.

Kuji’s Identity Is Finally Revealed

In 1996, New Scotland Yard was starting to feel some pressure from the glare
of publicity surrounding the upcoming hearings in the U.S. Senate, chaired by
Sam Nunn (D-Georgia). Two years had passed since the arrest of the Datastream
Cowboy, and yet Kuji was still at large.

New Scotland Yard investigators went back to take a closer look at the evidence
they had seized and found a phone number that they hadn’t traced back to
its origin. When they did trace it, they discovered Kuji’s true identity.
Ten days after Jim Christy’s initial testimony concerning the Rome Labs
intrusions, 21-year-old Matthew Bevan (a.k.a. Kuji) was finally apprehended.

In court, Pryce pleaded guilty to 12 hacking offenses and paid a nominal fine
of 1,200 British pounds.

But Bevan, whose father was a police officer, “lawyered-up.”

After 20 hearings in which the defense challenged the Crown’s evidence,
the prosecution made a “business decision” and dropped the charges.

Bevan is now a computer security consultant. His Web site, www.bogus.net/kuji,
features an archive of news media coverage of the Rome Labs case, a timeline
of his exasperating and successful legal maneuvers, photographs of his arresting
officers, and scanned headlines from the London tabloids.

In my interview with Bevan, I asked him about the motivation in the attack
on Rome.

“My quest,” he tells me, “was for any information I could find
relating to a conspiracy or cover-up of the UFO phenomenon. I was young and
interested in the UFO stuff that I had read and of course as I had the access
to such machines that were broken (i.e., with poor security) it was a natural
progression to seek out information.

“Also,” Bevan continues, “I was bullied almost every day of
my school life; the hacking world was pure escapism. I could go to school, endure
the day, come home, and log on to another world. Somewhere I could get respect,
somewhere that I had friends.

“At school I may have been bullied but in the back of my mind was ‘Well,
I hacked NASA last night, and what did you do?’”

I also asked Bevan if he wanted to set the record straight in regard to how
authorities handled the case or how the media reported it.

“One of the biggest concerns that I have about the reporting of the case
relates to the InfoWar aspect,” he says. “It is suggested that we
were taken to the brink of WWIII because of an attack on the Korean nuclear
research facility. A Secret Service agent here alleged that bombers were already
on their way to Korea to do a preemptive strike as it was thought that when
they discovered the attack, said to have come from a U.S. military computer,
they would retaliate.

“In the evidence presented in the case,” Bevan says, “there
was a snippet of a log that shows Datastream Cowboy logging into said facility
with the user ID of ‘sync,’ and as the user has no Unix shell associated
with it, the login is terminated. Nowhere else in the logs is any record of
the intrusion being successful, and in my opinion the logs do not reflect that.
Being called ‘the single biggest threat to world peace since Adolf Hitler’
is a tad annoying, but then even the layman can see that is just hype and propaganda.”
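Bevan’s point about the ‘sync’ login is one a defender can check mechanically: whether a logged login could have produced a session depends on the account’s shell, and whether a system account is even worth probing depends on its shell and password fields. The following added example is not code from the book or from the case evidence. It parses constructed passwd- and shadow-layout records and constructed login lines (the log format is invented for this example, not a real syslog format), classifies each login by the account’s shell, and lists system accounts that still have both an interactive shell and a usable password. The uid-under-1000 convention for system accounts and the set of non-interactive shells are assumptions.

```python
"""Reading a login record against the account database.

Added example, not from the book or the case evidence. Constructed passwd
and shadow-style records plus constructed login log lines show why a login
to an account with no interactive shell (such as 'sync') ends immediately
even when the log records the login, and which system accounts a defender
should lock so that such accounts cannot be used at all.
"""
import re
from typing import Dict, List, Tuple

# Shells that end the session at once instead of giving an interactive prompt
# (assumed set; /bin/sync runs sync(1) and exits).
NON_INTERACTIVE_SHELLS = {"", "/bin/sync", "/bin/false", "/bin/true",
                          "/sbin/nologin", "/usr/sbin/nologin"}
SYSTEM_UID_MAX = 999   # assumption: uid < 1000 is a system account

# Constructed records in /etc/passwd layout: name:x:uid:gid:gecos:home:shell
PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "sync:x:4:65534:sync:/bin:/bin/sync",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",          # system account, real shell
    "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin",
    "jdoe:x:1000:1000:J. Doe:/home/jdoe:/bin/bash",
]
# Constructed records in /etc/shadow layout: name:password:...
# A leading '*' or '!' means locked; the hashes below are placeholders.
SHADOW = [
    "root:$6$constructedhash:19000:0:99999:7:::",
    "sync:*:19000:0:99999:7:::",
    "daemon:$6$constructedhash:19000:0:99999:7:::",   # unlocked system account
    "lp:!:19000:0:99999:7:::",
    "jdoe:$6$constructedhash:19000:0:99999:7:::",
]
# Constructed log lines in an invented format (not a real syslog format).
LOG = [
    "Apr 15 01:02:03 login: LOGIN user=sync tty=ttyp2 from=10.0.0.9",
    "Apr 15 01:02:09 login: LOGIN user=jdoe tty=ttyp3 from=10.0.0.9",
    "Apr 15 01:02:15 login: LOGIN user=lp tty=ttyp4 from=10.0.0.9",
]
LOG_RE = re.compile(r"LOGIN user=(\S+) tty=(\S+) from=(\S+)")


def parse_passwd(lines: List[str]) -> Dict[str, Tuple[int, str]]:
    """name -> (uid, shell) from passwd-layout lines; malformed lines skipped."""
    out: Dict[str, Tuple[int, str]] = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) < 7:
            continue
        out[fields[0]] = (int(fields[2]), fields[6])
    return out


def parse_shadow(lines: List[str]) -> Dict[str, str]:
    """name -> password field from shadow-layout lines."""
    out: Dict[str, str] = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def is_locked(password_field: str) -> bool:
    """Locked when the field starts with '*' or '!'. An empty field is NOT
    locked: on many systems it means no password is required at all."""
    return password_field[:1] in ("*", "!")


def classify_login(user: str, passwd: Dict[str, Tuple[int, str]]) -> str:
    """What a recorded login to `user` could have yielded, judged by its shell."""
    if user not in passwd:
        return "unknown account"
    _, shell = passwd[user]
    if shell in NON_INTERACTIVE_SHELLS:
        return "terminated: no interactive shell"
    return "interactive session possible"


def triage(log_lines: List[str],
           passwd: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """(user, verdict) for every login line that matches the constructed format."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            results.append((m.group(1), classify_login(m.group(1), passwd)))
    return results


def accounts_to_lock(passwd: Dict[str, Tuple[int, str]],
                     shadow: Dict[str, str]) -> List[str]:
    """System accounts (uid 1..SYSTEM_UID_MAX) that keep both an interactive
    shell and a usable password field. root (uid 0) is reviewed separately.
    A missing shadow entry counts as unlocked, since nothing proves otherwise."""
    flagged = []
    for name, (uid, shell) in passwd.items():
        if not 0 < uid <= SYSTEM_UID_MAX:
            continue
        if shell in NON_INTERACTIVE_SHELLS:
            continue
        if not is_locked(shadow.get(name, "")):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for user, verdict in triage(LOG, parse_passwd(PASSWD)):
        print(f"{user:6s} {verdict}")
    print("lock:", accounts_to_lock(parse_passwd(PASSWD), parse_shadow(SHADOW)))
```

Run against the constructed data, the ‘sync’ and ‘lp’ logins are classified as terminated (no interactive shell) while ‘jdoe’ could have obtained a session, and ‘daemon’ is the one system account that still needs both a nologin shell and a locked password field. Reading the shell field before calling a logged login a successful intrusion is the check Bevan is describing, and locking system accounts removes the question altogether.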

Who Can Find the Bottom Line?

A damage assessment of the intrusions into the Rome Labs’s systems was
conducted on October 31, 1994. The assessment indicated a total loss to the
United States Air Force of $211,722. This cost did not include the costs of
the investigative effort or the recovery and monitoring team.

No other federal agencies that were victims of the hackers (for example, NASA)
conducted damage assessments.

The extent of the attack. The investigators believe they uncovered
only a portion of the attack. They still don’t know whether the hackers
attacked Rome Labs at previous times before the sniffer was discovered or
whether the hackers attacked other systems where they were not detected.

The extent of the damage. Some costs can be attributed to the incident,
such as the cost of repair and the cost of the investigative effort. The
investigation, however, was unable to reveal what they downloaded from the
networks or whether they tampered with any data. Given the sensitive information
contained on the various computer networks (at Rome Labs, Goddard Space
Flight Center, the Jet Propulsion Laboratory, Wright-Patterson AFB, or the
National Aero-Space Plane Program), it is very difficult to quantify the
loss from a national security perspective.